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REPORT OF AUDIT 
Office of Data Processing 
For the Period 

1 July 1978 - 30 September 1980 


SUMMARY 


1. Financial controls, procedures and records of 
the Office of Data Processing (ODP) were in accordance 
with Agency regulations. Prior audit recommendations, 
with the exception of -som-e pertaining to disaster 
recovery, were satisfactorily resolved. Minor 
administrative matters, including the need to better 
monitor prior fiscal year unliquidated obligations, were 
discussed with responsible officials and resolved during 
the audit. This report includes comments and 
recommendations concerning the following: 


o formalizing the'position of the Operations 
Security Officer 


o completing a written disaster recovery plan 
for the two computer centers 
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o improving fire safety in the Special Center 
o implementing technical data security controls. 


SCOPE 

2. The audit included a review of administrative 
functions to evaluate the effectiveness of controls and 
procedures and to assure compliance with Agency 
regulations. Financial and logistical transactions were 
tested to determine that documentation, approvals and 
certifications were in accordance with applicable 
accounting and reporting requirements and to ensure that 
expenditures were within the scope of authorized 
activities. 

3. The audit also included reviews and tests within 
both computer centers to determine that established 
procedures and other documentation were sufficient, 
adequate and followed to protect against potential 
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security and safety risks. A survey of ODP/Applications 
was performed to identify the standards and procedures 
utilized for application systems development. Because 
the ODP is still in the process of revising their 
applications development standards, no tests were 
conducted to determine use or compliance with the 
standards. 


BACKGROUND 


4. ODP provides a central computer service to 
satisfy automatic data processing (ADP) requests from. 
Agency components and to satisfy Intelligence Community 
requirements as assigne d. In perfo rming this service ODP 


had a personnel ceiling 
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o review and coordinate Agency proposals for the 
acquisition of computer hardware (including 
word processing equipment) , software, and 
services; 
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o operate two computer centers (Ruffing and Special) 
to provide facilities and services for batch and 
interactive computer processing, data base management, 
and on-line information storage and retrieval; 


o perform analysis of requirements for ADP services, 
develop and implement application systems , and 
perform maintenance and production control of 
completed application programs. 

5. The ODP's operating budget for Fiscal Year 1980 
is summarized as follows: 
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DETAILED COMMENTS 


Operations Securi ty Officer 


7 


7. During the audit numerous potential 
security weaknesses and safety hazards were observed in 
the two computer centers (primarily in the Ruffing 
Center). When these problems were brought to the 
attention of the ODP/Operat ions Security Officer, they 
were promptly corrected. The position of Operations 
Security Officer was established by ODP on a temporary 
basis to develop and implement a security awareness 
program for the two computer centers. By ODP's account 
the security awareness program is successful. The 
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continuous enforcement of security and safety practices 
is of vital importance to the Agency. The ODP should 
formalize the position of Operations Security Officer by 
making it a permanent position, by writing a job 
description, and by giving the incumbent clear lines of 
authority. 

Recommendation #1: Formally designate a position 
as Operations Security Officer and have the 
incumbent report to the Deputy Director ODP/ 
Processing to ensure adequate authority to 
administer an operations security program. 

Disaster Recovery Plan 


) 


8. The prior report of audit discussed the 
need for a disaster recovery plan to minimize the 
magnitude of service interruption in an emergency 
situation. ODP informed the Audit Staff that they would 
develop a methodology for determining the Agency's 

m 

emergency ADP requirements; prepare and cost out a plan; 
and with higher management approval undertake the 
necessary preparation to execute the plan. The ODP has 
developed a disaster plan that relies on moving critical 
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applications to a surviving center. But ODP has not 
identified or prioritized the critical applications; 
planned for the move; nor tested the compatabi 1 i ty of 
either computer center with the other's data. Until these 
steps are completed the current disaster plan can not be 
considered sufficient for actual use in an emergency. 
'Recommendation #2: Identify and prioritize the 

( 

\ Agency's emergency ADP requirements and develop 

i 

written operating procedures to ensure a 
I - successful exchange of applications between the 
[ two computer centers. Also provide for periodic 
updates and tests of the plan after development. 




Fire Safety 


9. improvements in fire safety are needed in the 
Special Center. The Special Center is so filled with 
computer hardware and data storage material that in case 
of fire it is questionable if employees could make a safe 
and orderly exit from the center. Safe exit from the 
tape library is particularly doubtful. The ODP is aware 
of the problem, and have requested an architectual study to 
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provide sufficient and adequate emergency exits. Until 
that study is completed ODP should continue to identify 
ways to improve fire safety within the Special Center. 

Recommendation #3: Continue efforts to improve fire safety 
- within the Special Center. 

Data Secu r ity Controls 


10. For many years the ODP has recognized that 
technical security controls to protect sensitive data 
were inadequate. In lieu of sufficient technical 
controls manual procedures were applied. Recently 
improved technical security control systems have become 
available. The ODP currently is installing one such 
system called Access Control Facility - 2 (ACF-2) . The 
ACF—2 requires a prolonged and carefully coordinated 
implementation. Once fully implemented, ACF-2 should 
significantly improve the security of sensitive 
computerized data. No additional recommendation is 

a 

required. 
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